New test

tests/01_vm_and_boot_counting/99grub2-emu

@@ -0,0 +1 @@
+../../99grub2-emu/

tests/01_vm_and_boot_counting/README

@@ -0,0 +1,20 @@
+test.sh is a naive script that: 
+- creates an SB-enabled VM with /boot partition
+  - custom SB key already enrolled
+  - /etc/pki/pesign db with said key
+- installs fedora38-- change that by editing virt-install command
+- installs packages needed for signing, etc.
+- installs a new kernel according to repo in install_fedora.ks (currently
+  Robbie's kernel-6.3.0-0.rc2.89f5349e0673.24.test.fc38)
+- implements naive boot logging scheme using systemd target
+- signs new kernel and reboots into it
+- gets correct config files from etc/ and 99grub2-emu/
+- builds nmbl using dracut command
+- allows user to boot using nmbl
+
+This has been tested on hypervisors in Beaker, and seems to be relatively
+robust. It's important to tar xhf this entire directory and then scp the
+tar archive in order to preserve symlinks which point to other directories
+in this repo.
+
+Once you extract the tar archive simply ./test.sh name_of_vm to execute.

tests/01_vm_and_boot_counting/boot-count.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Counting boot success
+Wants=boot-complete.target
+
+[Service]
+ExecStart=/bin/bash /usr/sbin/boot_count.sh
+
+[Install]
+WantedBy=multi-user.target

tests/01_vm_and_boot_counting/boot_count.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+kern=$(grubby --default-kernel | cut -d'/' -f3 | cut -d'-' -f2-5)
+entry=$(efibootmgr | grep BootCurrent | cut -d':' -f2)
+entry=$(printf 'Boot%s' $entry)
+ebe=$(efibootmgr | grep $entry | cut -f1)
+echo "[$(date '+%H:%M:%S  %d-%m-%Y')] default kernel: $kern" >> /var/log/entry_booted.txt
+echo "[$(date '+%H:%M:%S  %d-%m-%Y')] booted entry $ebe : $(uname -r)" >> /var/log/entry_booted.txt

tests/01_vm_and_boot_counting/config

@@ -0,0 +1,4 @@
+Host IPADDR
+   StrictHostKeyChecking no
+   UserKnownHostsFile=/dev/null
+   User root

tests/01_vm_and_boot_counting/etc

@@ -0,0 +1 @@
+../../etc/

tests/01_vm_and_boot_counting/id_rsa_test

@@ -0,0 +1,39 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA358s8AbOAQOnj7IpBom5PuSt84j0UKyOyTNJvUoPqZd58mOZUiiU
+aPLDEHvqH84frVW/irBLEefs1lt0PvvKhbNTOZN+W56D4jIS34z2Q6PKb2jsSruqxpgJgt
+GKr1ZjLYdwHMGy0DE3262KcMM4Oa0K8dfnOgbewWGTwPgw2BOcYcFREFIAaK+FvrDQ7qQF
+dggvFX62qMWeNAovSVFg2QiOevvMGAg1ehCENpgLDJ6G1p8AMYXeHONRMQsgdjCHqElI43
+nBKkZhC5UuuGo4L06wb12gNRWmrLdCcgrPNLi5LE94Ao8IR6ynJLdrbu0z82JdH3Z6mxya
+gSrPH8XAMQsS1btC7u4crXnTYQ7tpsMVQAJRuHZWR8OFYIkbgF1ughbR78d+O48khfrM+K
+1mmVUJbTx2z22jkT2TDc+qDLqumgG+WFLWXL+13XyldVNQIjFRZ9cXzm743TFw85mCaTB1
+53Thmys+neG78jpjHvGEPOe42CiM1NateWGfzccxAAAFqCYXfYImF32CAAAAB3NzaC1yc2
+EAAAGBAN+fLPAGzgEDp4+yKQaJuT7krfOI9FCsjskzSb1KD6mXefJjmVIolGjywxB76h/O
+H61Vv4qwSxHn7NZbdD77yoWzUzmTflueg+IyEt+M9kOjym9o7Eq7qsaYCYLRiq9WYy2HcB
+zBstAxN9utinDDODmtCvHX5zoG3sFhk8D4MNgTnGHBURBSAGivhb6w0O6kBXYILxV+tqjF
+njQKL0lRYNkIjnr7zBgINXoQhDaYCwyehtafADGF3hzjUTELIHYwh6hJSON5wSpGYQuVLr
+hqOC9OsG9doDUVpqy3QnIKzzS4uSxPeAKPCEespyS3a27tM/NiXR92epscmoEqzx/FwDEL
+EtW7Qu7uHK1502EO7abDFUACUbh2VkfDhWCJG4BdboIW0e/HfjuPJIX6zPitZplVCW08ds
+9to5E9kw3Pqgy6rpoBvlhS1ly/td18pXVTUCIxUWfXF85u+N0xcPOZgmkwded04ZsrPp3h
+u/I6Yx7xhDznuNgojNTWrXlhn83HMQAAAAMBAAEAAAGAPo0r6Mg+f5IiINPZHfcQVkNpVS
+IOFTLvjeBG1CgPUYUJm3+4t36aZPDjF41R5CuoOLgvp//AP/X8DcnvLl8IO3X55bUYN1CT
+24XeOaIYkLsUOS3ESvNLxdlpb6plfL5RZ77m4WRdPFdIJK7adshkxd1dnmCiUVzymm1NA0
+FpiEeUCtQkdMg7TQ0sADc9ekNvM6D+aqjTN0pwAmaG659T0+HM2SHt6RsCum48TXkiPhlp
+5kb7qt6jTrlXULyoC+duxNNGiIdnqm0hfB8PLeiMT7bvE+hbhUF1vomrVLog96c41zIkK9
+W5arB75/DRMjVR7G5xfkNGk0g30f0CUuliTg31yapT+lwTQgh0o6pzqMpFUxqGK+y2mpHQ
+Z5buTEE6NrrZcfjXr8jUzdRQ+bRuukd10rQeoCw/CPauVecKGFuy4mD4IxPDM3BoBf/3fk
+OqdeVB2XdTIDE0E2/sdxG1MX2gbOfYLk8+IsjWnu5foxMb+3WHf2l62PWTCiZKbLXxAAAA
+wQCy1vqfZ8bIQ+OmUMwKB2ZOEBIikn6LuqcaGvqnl8mBPyRhYcJZPo4lSMWI2MisCh0GXr
+Jc8OFn1yz91GXzowmis1DDWwzdT88M18iIOhyo2zQq/3uhJ4B3ix/uMdUwHe081HAYcQDW
+n4V+3p1+Nv/lH8BIg0F2xVYwXePEs5OoTWLQbd5byz9wasi+R+oWaKttO3h655HuJasl/I
+hyUVFvNkhguEMqcC43gyh9I4HadZVtilyfmZtCv6ganW/O1rQAAADBAP2Q0BknDrErBOGE
+x6GdbMYQmXPqKh/+zsoym3HXjbL34AYNhEcGl8Vwz4j6HkWN644L6MboCtfmjgzFWJp65n
+BPc/hLBbUHSKeqOHpN6z2ElFHbs60lXm+vOgUYJG5/wBWhIvLPONbF3aKEutHm//+hY5r5
+R6aO8DWn4hLsCd4e4Ojggkv8zGVQ+gLvktsm+Q+qnHppu9HJwLeS/85vyuf+dhogS8r5J7
+rCBKqAaIev/Qrr8mgZVUBpTBlUAF8zFwAAAMEA4cTFCkELCgyAu/WLYjaBAPcN8wY1tfLF
+yWPWVd3vpiukm8xg6JWaybTLtFzt77Dj8AeOJIqSFHJG2hpwxLIsClnQeQDHPkIF0bLpjH
+F55zv14Qa0TC8G0v2EtFJUB6aDsUM9o7tOYNAjqRLFX56RS1uAXaiMjRiUyURe+LEEkYJX
+sIR1ziq3eXoUoqMBFlvPUGvl7utBoN13FzUYEJOe/nJgoCMUTYzoxoniLsy2JNG2XCK5IV
+dMjG8AEsg9BeT3AAAAMnJvb3RAaHBlLWRsMzYwZ2VuMTAtMDEuaHBlMi5sYWIuZW5nLmJv
+cy5yZWRoYXQuY29t
+-----END OPENSSH PRIVATE KEY-----

tests/01_vm_and_boot_counting/id_rsa_test.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfnyzwBs4BA6ePsikGibk+5K3ziPRQrI7JM0m9Sg+pl3nyY5lSKJRo8sMQe+ofzh+tVb+KsEsR5+zWW3Q++8qFs1M5k35bnoPiMhLfjPZDo8pvaOxKu6rGmAmC0YqvVmMth3AcwbLQMTfbrYpwwzg5rQrx1+c6Bt7BYZPA+DDYE5xhwVEQUgBor4W+sNDupAV2CC8VfraoxZ40Ci9JUWDZCI56+8wYCDV6EIQ2mAsMnobWnwAxhd4c41ExCyB2MIeoSUjjecEqRmELlS64ajgvTrBvXaA1Faast0JyCs80uLksT3gCjwhHrKckt2tu7TPzYl0fdnqbHJqBKs8fxcAxCxLVu0Lu7hytedNhDu2mwxVAAlG4dlZHw4VgiRuAXW6CFtHvx347jySF+sz4rWaZVQltPHbPbaORPZMNz6oMuq6aAb5YUtZcv7XdfKV1U1AiMVFn1xfObvjdMXDzmYJpMHXndOGbKz6d4bvyOmMe8YQ857jYKIzU1q15YZ/NxzE= [email protected]

tests/01_vm_and_boot_counting/install_fedora.ks

@@ -0,0 +1,37 @@
+text
+timezone Europe/Prague --utc
+keyboard --vckeymap=us --xlayouts='us'
+lang en_US.UTF-8
+rootpw fedora1357
+zerombr
+clearpart --all --initlabel
+reqpart
+part /boot --size 1024
+part swap --fstype swap --recommended --label SWAP
+part / --size 2048 --grow
+
+reboot
+
+%post
+echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
+
+mkdir /root/.ssh
+cat > /root/.ssh/authorized_keys << EOF
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfnyzwBs4BA6ePsikGibk+5K3ziPRQrI7JM0m9Sg+pl3nyY5lSKJRo8sMQe+ofzh+tVb+KsEsR5+zWW3Q++8qFs1M5k35bnoPiMhLfjPZDo8pvaOxKu6rGmAmC0YqvVmMth3AcwbLQMTfbrYpwwzg5rQrx1+c6Bt7BYZPA+DDYE5xhwVEQUgBor4W+sNDupAV2CC8VfraoxZ40Ci9JUWDZCI56+8wYCDV6EIQ2mAsMnobWnwAxhd4c41ExCyB2MIeoSUjjecEqRmELlS64ajgvTrBvXaA1Faast0JyCs80uLksT3gCjwhHrKckt2tu7TPzYl0fdnqbHJqBKs8fxcAxCxLVu0Lu7hytedNhDu2mwxVAAlG4dlZHw4VgiRuAXW6CFtHvx347jySF+sz4rWaZVQltPHbPbaORPZMNz6oMuq6aAb5YUtZcv7XdfKV1U1AiMVFn1xfObvjdMXDzmYJpMHXndOGbKz6d4bvyOmMe8YQ857jYKIzU1q15YZ/NxzE= [email protected]
+EOF
+
+cat > /etc/yum.repos.d/kernel.repo << EOF
+[kernel]
+name=rh_kernel
+baseurl=http://file.emea.redhat.com/mlewando/nmbl_kernel/
+enabled=1
+gpgcheck=0
+
+[grub-89]
+name=grub-89
+baseurl=http://file.emea.redhat.com/mlewando/grub2-2.06-89.fc38.x86_64/
+enabled=1
+gpgcheck=0
+EOF
+%end
+

tests/01_vm_and_boot_counting/key_db/pkcs11.txt

@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:./etc/pki/pesign' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical
+

tests/01_vm_and_boot_counting/make_nmbl.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+echo -e '\n\nsetting up config files...'
+
+mkdir /etc/dracut-grub2.conf.d/
+rsync -avP --del 99grub2-emu/ /usr/lib/dracut/modules.d/99grub2-emu/
+cp etc/dracut-grub2.conf.d/grub2-emu.conf /etc/dracut-grub2.conf.d/
+cp etc/dracut.conf.d/grub2-emu.conf /etc/dracut.conf.d/
+mv /etc/grub.d/10_linux{,.bak}
+cp etc/grub.d/10_linux /etc/grub.d/
+
+kernel=$(uname -r)
+
+echo -e '\n\ncreating new nmbl bootloader...'
+
+dracut --verbose --confdir /etc/dracut-grub2.conf.d/ --no-hostonly ./nmbl.uki $kernel --uefi --kernel-cmdline "debug=all console=ttyS0 boot=$(awk '/ \/boot / {print $1}' /etc/fstab) rd.systemd.gpt_auto=0" --xz
+pesign -s -c 'Sids Secureboot' -i nmbl.uki -o nmbl.uki.signed
+
+mv /boot/efi/EFI/fedora/grubx64.efi{,.bak}
+cp nmbl.uki.signed /boot/efi/EFI/fedora/grubx64.efi

tests/01_vm_and_boot_counting/setup.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+dnf install -y libvirt qemu-kvm virt-install policycoreutils-python-utils
+
+systemctl start libvirtd
+
+tmp_dir=$(mktemp -d)
+chmod +rx $tmp_dir
+# Use appropriate SELinux context for the log files
+semanage fcontext -a -t virt_log_t "$tmp_dir(/.*)?"
+restorecon $tmp_dir
+
+chmod 600 id_rsa_test

tests/01_vm_and_boot_counting/sign_kernel.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+kernel=$(grubby --default-kernel)
+
+pesign -s -c 'Sids Secureboot' -i $kernel -o $kernel.signed
+
+pesign -r --signature-number 0 -i $kernel.signed -o $kernel.2sig
+pesign -r --signature-number 0 -i $kernel.2sig -o $kernel.signed --force
+
+mv $kernel{,.bak}
+cp $kernel.signed $kernel
+
+echo -e '\n\nkernel is signed with:\n'
+pesign -S -i $kernel
+
+echo -e '\nrebooting into new kernel...\n'
+sleep 2
+reboot

tests/01_vm_and_boot_counting/test.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+if [[ $# != 1 ]]; then
+    echo 'usage: ./test.sh virt_name'
+    exit
+fi
+
+virtname=${1}
+
+. setup.sh
+wd=`pwd`
+
+virt-install --os-variant fedora-unknown --name $virtname --memory 4096 --boot loader=/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash,nvram_template=${wd}/nmbl_VARS.fd,loader_secure=yes --features smm.state=on --vcpus 2 --disk size=20 --noautoconsole --graphics none --serial file,path=${tmp_dir}/console_output.log 2> $tmp_dir/qemu_err_output.log --initrd-inject=${wd}/install_fedora.ks --tpm model=tpm-crb,backend.type=emulator,backend.version=2.0 --extra-args 'console=ttyS0 inst.ks=file:/install_fedora.ks' --location=http://download.eng.bos.redhat.com/released/fedora/F-38/Beta/1.3/Server/x86_64/os/
+
+if [[ -s $tmp_dir/qemu_err_output.log ]]; then
+    echo -e '\nthere was some problem with the installation.\nplease check' $tmp_dir/qemu_err_output.log
+    exit
+fi
+
+echo -e '\nplease wait for the installation to finish.'
+echo 'console output in being redirected to:' $tmp_dir/console_output.log
+
+while :
+do
+    sleep 30
+    if [[ $(grep Rebooting $tmp_dir/console_output.log) ]]; then
+        sleep 5
+        echo 'installation successfully completed.'
+        break
+    fi
+done
+
+echo -e '\nwill attempt to start' $virtname
+virsh start $virtname
+sleep 30
+
+virt_ip=$(virsh domifaddr --domain $virtname | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
+
+cp -f config /root/.ssh/
+sed -i "s/IPADDR/${virt_ip}/" /root/.ssh/config
+
+echo -e '\ninstalling necessary packages...\n'
+ssh -i id_rsa_test root@$virt_ip 'dnf install -y pesign mokutil keyutils rsync git emacs-nox dracut-network grub2-emu binutils systemd-ukify systemd-boot-unsigned systemd-networkd kexec-tools btrfs-progs lvm2'
+
+echo -e '\n\nadding boot counting...\n'
+scp -i id_rsa_test boot-count.service root@$virt_ip:/etc/systemd/system/.
+scp -i id_rsa_test boot_count.sh root@$virt_ip:/usr/sbin/.
+ssh -i id_rsa_test root@$virt_ip 'systemctl daemon-reload'
+ssh -i id_rsa_test root@$virt_ip 'systemctl enable boot-count.service'
+
+echo -e '\n\ninstalling new kernel...\n'
+ssh -i id_rsa_test root@$virt_ip 'dnf install -y kernel-6.3.0'
+
+scp -r -i id_rsa_test etc/ 99grub2-emu/ sign_kernel.sh make_nmbl.sh root@$virt_ip:.
+scp -i id_rsa_test key_db/* root@$virt_ip:/etc/pki/pesign/.
+
+ssh -i id_rsa_test root@$virt_ip 'source sign_kernel.sh'
+sleep 60
+ssh -i id_rsa_test root@$virt_ip 'source make_nmbl.sh'
+
+sleep 10
+
+echo -e '\nshutting down machine.'
+virsh shutdown $virtname
+sleep 15
+
+echo -e '\n\nto boot using nmbl run: virsh start' $virtname
+echo 'serial console output is here:' $tmp_dir/console_output.log
+echo "you can connect using: ssh -i id_rsa_test root@$virt_ip"